Hackers are phishing and you must not take the bait

The recent ransomware attack on the NHS, amongst others, will again focus attention on cyber-crime, with particular attention paid to the rise of phishing attacks.

When phishing, criminals use innocent-looking emails to gain the trust of the reader, who will then often unwittingly allow the hackers access to secure systems or disclose confidential information. And unfortunately, the criminals have realised that the weakest link in any organisation’s IT system is the people that use it.

Is your organisation cyber-safe?

Every business knows the risks posed by a cyber-attack, but are you doing all you can to protect against one?

To ensure you can defend against an attack, consider:

  • Do you offer all staff cyber-security awareness training and cover the latest methods?
  • Do your employees know what to look out for?
  • Does every employee, whatever their role, always have the correct information available to ensure they make the right decisions?
  • Could an attack be identified and stopped at source, before any damage is done?
  • Could your business respond quickly and recover from an attack?
  • Would a successful attack cause long-term harm?
  • What would be the impact of data being stolen or ransomed?
  • Do your suppliers and customers take cyber security seriously?
  • Is vital information backed up appropriately to allow your business to recover quickly?

Anyone you find within your business that does not take the threat seriously is a risk to the future of your business. You must explain phishing to them and how to combat it.

Phishing your own employees is a good way to find out how they will react to a real attack.

How to recognise a phishing email

Criminals will typically get all the details they need to undertake an attack through social engineering: scouring personal social media channels, or your website and company social media feeds.

The modern need to share means we often reveal more than we should, and it can be used against us. Criminals will find the information needed to create emails that closely imitate communications from trusted sources like colleagues, clients and suppliers.

Regardless of who an email appears to be from, assess each one carefully before opening:

  • The sender - Look very carefully. Do you know who this is? Is this their usual email address or just a similar one?
  • Subject - Give your emails meaningful subject lines and expect the same. Does the subject look unusual or unexpected? Be wary of spelling mistakes and irrelevant, extraordinary or poorly written subject lines.
  • Content - Phishing emails typically ask the recipient to do something, like visit a website, send some seemingly innocuous data or simply reply to the email. Be particularly wary of emails that claim to be from a computer company, trade body, government department or financial services organisation.
  • Tone - Criminals will use emotional language in messages delivered with a sense of urgency to ensure you respond, like claiming you risk being fined. Beware if there is no personal greeting, as most legitimate organisations you deal with know your name and any account numbers you have, often including partial information to reassure you.
  • Links - Links in emails can easily be disguised. They might take you to malicious websites that resemble genuine sites, like your Hotmail or Mobile accounts.
  • Attachments - Ask yourself if you recognise the format of the attachment. Does the email mention the attachment and what to do with it? Are you expecting an attachment? Attachments can transmit viruses, so open only when necessary and with caution.
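The checks in the list above, as an added example in Python that is not part of the original article: it scores a constructed sample message (every name, domain and sentence in it is made up) against simple heuristics for lookalike sender domains, urgency wording, generic greetings, links whose visible text does not match their target, and risky attachment types.

```python
import re
from difflib import SequenceMatcher
from urllib.parse import urlparse

# Constructed sample message standing in for a parsed email; every domain,
# name and sentence here is made up for this example.
SAMPLE = {
    "from": "Accounts Team <invoices@examp1e-supplier.com>",
    "subject": "URGENT: Overdue invoice - account will be suspended",
    "body": 'Dear Customer, pay immediately or you risk being fined. '
            '<a href="http://login.payments-portal.example.net/x">'
            'https://portal.example-supplier.com</a>',
    "attachments": ["invoice_4471.docm"],
}
KNOWN_DOMAINS = {"example-supplier.com"}  # contacts you genuinely deal with
URGENCY = ("urgent", "immediately", "fined", "suspended", "final notice")
RISKY_EXT = (".exe", ".js", ".vbs", ".docm", ".xlsm", ".zip", ".html")

def sender_domain(from_header):
    """Pull the domain out of a 'Name <user@domain>' header."""
    m = re.search(r"@([\w.-]+)>?$", from_header.strip())
    return m.group(1).lower() if m else ""

def lookalike(domain, known, threshold=0.85):
    """Return a known domain this one closely resembles but does not equal."""
    for k in known:
        if domain != k and SequenceMatcher(None, domain, k).ratio() >= threshold:
            return k
    return None

def assess(msg):
    """Run the sender/subject/tone/link/attachment checks; return findings."""
    findings = []
    dom = sender_domain(msg["from"])
    if dom not in KNOWN_DOMAINS:
        near = lookalike(dom, KNOWN_DOMAINS)
        findings.append(f"unknown sender domain {dom}" + (f", resembles {near}" if near else ""))
    text = (msg["subject"] + " " + msg["body"]).lower()
    hits = [w for w in URGENCY if w in text]
    if hits:
        findings.append("urgency language: " + ", ".join(hits))
    if re.match(r"\s*dear (customer|user|sir/madam)", msg["body"], re.I):
        findings.append("generic greeting instead of your name")
    for href, shown in re.findall(r'<a\s+href="([^"]+)"[^>]*>([^<]+)</a>', msg["body"], re.I):
        if urlparse(href).hostname != urlparse(shown).hostname:
            findings.append(f"link text shows {shown} but points to {href}")
    for name in msg["attachments"]:
        if name.lower().endswith(RISKY_EXT):
            findings.append(f"risky attachment type: {name}")
    return findings
```

A message that trips several of these checks at once is the kind of email the list above says to stop and assess rather than act on.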

There is no point creating a list of recent popular attack methods used by cyber-criminals, because the hackers’ approach changes so quickly, and believing you know what to expect can lead to complacency.

Phish your people first

To really drive home the importance of always being on your guard against cyber-attacks, specialist service providers like Quiss will regularly conduct simulated phishing attacks on your employees to help address this growing threat.

Working closely with you, they will create believable looking emails that appear to come from contacts your employees will recognise. The recipients will be unaware they are being tested, but hopefully word will spread when a few have been caught out, which will raise awareness of the risk for everyone.

The service records how employees respond to the ‘fake’ phishing email and notes who took what actions; whether they opened the email, clicked links, downloaded attachments, etc.
Comprehensive reports identify areas for improvement and reveal those people who are regularly caught by the fake attack. This will help you concentrate your training on those that need support most.

Whilst no one wants to overstate the threat, only a change in security culture, based on more education and regular testing, will cut the number of employees likely to be caught by a well-disguised phishing attack, which could devastate an organisation.
